SEC Cyber Breach Resulted in Access to Personally Identifiable Information
At least two individuals had their names, dates of birth and social security numbers accessed by third parties as a result of the SEC’s 2016 cyber breach, Commission chairman Jay Clayton disclosed October 2. His disclosure also left open the possibility that the agency’s internal review might uncover more individuals whose personally identifiable information was accessed.
"The 2016 intrusion and its ramifications concern me deeply," he said. "I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward." While Clayton added that the review and remediation efforts are ongoing "and may take substantial time to complete," he said that he believes it is important to provide new information about the intrusion and the steps the SEC is taking. The October 2 update, then, may be the first of several.
The cyber breach was first revealed to the public by Clayton on September 20, 2017. He said at that time that he had learned the month before of the 2016 penetration of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. Agency staff use EDGAR to perform automated collection, validation, indexing, acceptance, and forwarding of submissions by investment advisers, broker-dealers, companies and others.
The disclosure set off a firestorm of concern in the asset management industry, both about the security of investor information and about the questions that remain unanswered. Former agency officials, defense attorneys, advisory firms and others voiced worry about the security of the information that their clients provide to the SEC. There is also concern about providing additional information to the agency in the near future through its planned Consolidated Audit Trail (CAT) and on recently added forms, such as Form PF. Following Clayton’s disclosure, the SEC launched a new cybersecurity initiative, and Clayton addressed the issue before already-scheduled Senate and House hearings.
"There are a lot of people calling for the suspension of certain filings that already exist, as well as new ones, like the CAT," said Mayer Brown partner Amy Pershkow. "The SEC needs to review whether its systems are secure enough to continue with them."
Pershkow also suggested that the SEC’s own shortfall in cybersecurity may affect its enforcement tone. "It will be interesting to see if this results in a change in the enforcement cases brought by the agency staff, perhaps with more sympathy" for what those in the private sector are experiencing.
Advisory firm Spring Mountain Capital chief compliance officer Aaron DeAngelis said that he is "concerned" about the cybersecurity breach, "but what are you going to do? I will still comply with my required filings, such as Form PF, in a timely manner. But I think the Commission may want to think about extending filing deadlines until the breach is fixed."
"Until there is an exhaustive report on what happened here, there are going to be questions," said Buckley Sandler partner and former SEC Office of Market Intelligence chief Thomas Sporkin. "Someone needs to explain exactly what information was accessed, the weaknesses in the SEC systems that were exploited, how the escalation process at the agency is supposed to work, and how the escalation process actually worked in this instance."
Stepping back from the breach itself, some are asking whether the asset management industry’s concerns about these cyber breaches are warranted. "They are a big deal in the same way that Hurricane Maria was a big deal," said Stern Tannenbaum partner Aegis Frumento. "They are rare, but they are going to happen. Computer systems are going to get hacked. It’s going to happen. Every large computer system is always out of date because it can’t be upgraded fast enough and ensure its functionality."
"The question is what realistically can be done about them," he said. "The entire agency can’t be revamped. It just doesn’t work that way. The SEC has to identify its vulnerable areas and migrate the data from those areas – kind of a band-aid approach – while new systems are put in place, with the knowledge that, in time, those new systems will also be hacked."
PII violations found
Now, with his October 2 announcement, Clayton has revealed that two individuals had their personally identifiable information compromised, and has raised the possibility that more might be uncovered. He also used the update to announce more details of the SEC’s internal investigation into the breach, and plans to raise the agency’s "cyber profile" further in the future.
"The ongoing staff investigation of the 2016 intrusion has now determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and social security numbers of two individuals," he said. "This determination is based on forensic data analysis conducted since the agency’s Sept. 20 disclosure of the intrusion which relied on the latest information available at that time."
Clayton said he was informed by SEC staff of the new information on September 29, and that staff "are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services."
He also said this: "Should the agency’s review uncover additional such individuals whose sensitive information may have been accessed, the staff will contact them and offer them identity protection and monitoring, as well."
The internal investigation
Clayton elaborated further on the steps being taken by the SEC in regard to both the EDGAR breach and generally assessing and improving both EDGAR’s and the agency’s "cybersecurity risk profile." He described the following "five principal work streams:"
Review of the 2016 EDGAR breach by the SEC’s Office of the Inspector General. "Staff have been instructed to provide their full cooperation with this effort," he said.
Investigation by the Division of Enforcement into the potential illicit trading that resulted from the EDGAR breach. This review and the OIG review are the ones most likely to determine whether there are further cases of compromised personally identifiable information.
A focused review of and, as necessary and appropriate, "uplift" of EDGAR. "The EDGAR system has been undergoing modernization efforts," Clayton said. "The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity issues." (See below for some of the results from the OIG’s September 28 report on its audit of the agency’s progress in "enhancing and redesigning" EDGAR.)
Assessment and uplift of the SEC’s cybersecurity risk profile. The "more general" assessment and possible resulting changes will include "efforts that were initiated shortly after [Clayton’s] arrival at the Commission this past May," the agency said. They will include, "without limitation, the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information." The inclusion of the CAT in this work stream is significant, as it is due to begin operation in November, and some industry analysts question whether use of this comprehensive transaction database should be postponed until the cyber breach investigation is concluded and resolved.
The SEC’s own internal review – separate from that being conducted by the OIG – into the 2016 EDGAR intrusion. Among the conclusions to be determined, according to the October 2 update, are "the procedures followed in response to the intrusion." The review is being overseen by the Office of General Counsel and "has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants," Clayton said.
"More broadly, the agency is evaluating its cybersecurity risk governance structure, which has included the establishment of a senior-level cybersecurity working group and may include additional enhancements to promote the management and oversight of cybersecurity across the SEC, divisions and offices," Clayton said.
The EDGAR audit
The OIG’s September 28 report on its audit of EDGAR, while not entirely made public – some material was redacted for public release because the report contains sensitive information about the EDGAR system – nonetheless identified a number of areas where EDGAR fell short. The report’s executive summary lists five such areas, but the writing is in places general or somewhat cryptic, so the extent to which these areas are security related cannot be determined. Those listed are:
The SEC’s governance of EDGAR system enhancements needs to be improved;
The agency’s Office of Information Technology "did not consistently manage the scope of EDGAR system releases to ensure SEC needs were achieved;"
The SEC should improve its management of the EDGAR system engineering contract;
OIT did not fully and consistently implement EDGAR system enhancements in compliance with federal and SEC change management controls; and
A new electronic disclosure system needs further improvements.
The audit report recommended nine steps that the SEC should take to resolve these EDGAR issues, including:
More clearly define the EDGAR system governance structure;
Enhance the relevant lessons learned process;
Improve EDGAR system scope management processes; and
Address constraints impacting the timely completion, review and approval of the EDGAR redesign program’s contract deliverables.
The OIG said that SEC management concurred with the recommendations.